ACPI interpreter security

I've been looking recently at a variety of firmware rootkit sample code,
and discussions of how to mitigate it.
I am particularly intrigued by the occasional mention I see that some
operating systems "sandbox" the ACPI AML interpreter, executing it with
most of the kernel memory unmapped.
How hard would it be to do this in NetBSD?
--
Thor Lancelot Simon
tls%panix.com@localhost
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud